Manual Chapter :
Install and License BIG-IQ Centralized Management
Applies To:
Show VersionsBIG-IQ Centralized Management
- 8.2.0, 8.1.0
Install and License BIG-IQ Centralized Management
Prepare to license BIG-IQ and perform initial set up tasks
To manage your BIG-IP devices using BIG-IQ, you deploy a BIG-IQ system
and then configure it to meet your business needs.
To deploy a BIG-IQ system, you:
- Prepare your network environment and architecture (refer toBefore you deploy a BIG-IQ solutioninPlanning a BIG-IQ Centralized Management & Visibility Deploymentonsupport.f5.comfor details).
- Install and configure the platform you plan to install your software on. The platform can either be a physical device or a virtual device. To use a physical device, you need a BIG-IQ 7000 series device. To use a virtual device, the solution you choose depends on the environment you use. Supported platforms for this release are listed below. Use the guide appropriate for your platform to complete the installation. These guides are posted onsupport.f5.com.If you choose this platform:Refer to this guide for installation details:BIG-IQ 7000 SeriesPlatform Guide: BIG-IQ 7000 SeriesAmazon Web ServicesF5 BIG-IQ Centralized Management and Amazon Web Services: SetupCitrix XenServer:F5 BIG-IQ Centralized Management and Citrix XenServer: SetupKVMF5 BIG-IQ Centralized Management and Linux KVM: SetupMicrosoft AzureF5 BIG-IQ Centralized Management and Microsoft Azure: SetupMicrosoft Hyper-VF5 BIG-IQ Centralized Management and Microsoft Hyper-V: SetupVMware NSX-VF5 BIG-IQ Centralized Management and VMware ESXi: SetupXen ProjectF5 BIG-IQ Centralized Management and Linux Xen Project: Setup
- Deploy, license, and configure the number of BIG-IQ systems you need depending on your high availability and data center requirements.
How do I license BIG-IQ to manage BIG-IP devices?
After you download the software image from the F5 Downloads site and
start BIG-IQ in your virtual environment, you can license the system using the base
registration key provided by F5. The
base registration
key
is a character string the F5 license server uses to provide BIG-IQ a license
to access the subscription licensing feature. You license BIG-IQ in one of the following ways:
- If the system has access to the Internet, you can have the BIG-IQ system contact the F5 license server and automatically activate the base registration key to get a license.
- If the system is not connected to the Internet, you can manually license the BIG-IQ using the F5 license server web portal.
- If the system is in a closed-circuit network (CCN) that does not allow you to export any encrypted information, you must open a case with F5 support at: support.f5.com/csp/my-support/home.
Automatic license and initial setup for BIG-IQ systems
You must have a base
registration key before you can license the BIG-IQ system. If you do not have a base
registration key, contact the F5 Networks sales group (
f5.com
). After you set up your BIG-IQ VE or
set up your BIG-IQ 7000 Series, you can install the BIG-IQ software license.If the BIG-IQ system is connected to the public internet, you can follow these steps to
automatically perform the license activation and perform the initial setup.
- Use a browser to log in to BIG-IQ by typinghttps://, where<management_IP_address><management_IP_address>is the address you specified for device management.The first time you log in to the BIG-IQ, you useadminfor theUsernameandPassword; but then you must change the admin password.
- Change the default admin password.
- ForCurrent Password, typeadmin.
- Type a new password in theNew PasswordandRe-type New Passwordfields.
- ClickSave. BIG-IQ changes the admin password and then displays the initial log in page.
- Login to the BIG-IQ user interface using your new password.
When you change the admin password as part of an initial login, BIG-IQ also resets the root password to match it. During initial setup, you can change them both again. - SelectLicense.
- InBase Registration Keybox, paste the BIG-IQ registration key.
- InAdd-On Keys, paste any additional license key you have.
- To add another additional add-on key, click the+sign and paste the additional key in the newAdd-On Keysfield.
- ForActivation Method, selectAutomatic, click theActivatebutton, and then click theNextbutton.If you are setting up BIG-IQ for the first time, the Accept User Legal Agreement screen opens. To accept the license agreement, click theAgreebutton, and then click theNextbutton.BIG-IQ displays the Master Key page.
- Type aPassphrasethat satisfies the requirements specified on screen, and then type the same phrase forConfirm Passphrase, and then click theNextbutton.BIG-IQ uses the passphrase to generate a master key. For a BIG-IQ high availability (HA) configuration, this passphrase must be the same on all BIG-IQ systems or they won't be able to communicate with each other.
- Make sure you keep track of the passphrase, because it cannot be recovered if you lose it.
- You must have the passphrase used to generate the master key before you can change the master key.
- Finally, when you backup and restore a BIG-IQ, the master key is backed up with the rest of the data, and you cannot restore that data onto a BIG-IQ that has a different master key.
If you are setting up a Microsoft Azure VE, and you type an entry in any of the fields, you will not be able to continue successfully. The only way to proceed is to leave all of the fields empty and click theNextbutton at the bottom of the screen. This allows the system to use the first-time access credentials you specified previously. - Specify an (optional) admin and root password and click theNextbutton.
- For System Personality, selectBIG-IQ Central Managementand click theNextbutton.You cannot undo this choice. Once you license a device as a BIG-IQ Central Management, you can't change your mind and license it as a BIG-IQ Data Collection Device.
- In theHostnamebox, type a fully-qualified domain name (FQDN) for the system.The FQDN can consist of letters and numbers, as well as the characters underscore ( _ ), dash ( - ), or period ( . ).
- Type theManagement Port Route.The management port IP address must be in Classless Inter-Domain Routing (CIDR) format. For example:10.10.10.10/24.
- Select an option for what you want BIG-IQ to use for theDiscovery Address.BIG-IQ uses this address for bi-lateral communication with its managed BIG-IP devices.When choosing whether to use the management port or a self IP address, consider the long-term ramifications. Changing the discovery address is a lengthy process that includes rediscovering all managed BIG-IP devices. If your deployment includes a data collection device (DCD) cluster, you would also need to reset and rebuild the entire cluster to change the discovery address for this BIG-IQ.
- To use the management port, selectUse Management Address.
- To use the internal self IP address, selectSelf IP Address, and type the IP address.If the BIG-IQ is configured to use a self IP address for device discovery and that address cannot be found, BIG-IQ will use the management IP address instead.If you are configuring BIG-IQ to manage applications in a service scaling group (SSG), use the internal self IP address.If you plan to manage both IPv4 and IPv6 devices, you must configure an additional interface. BIG-IQ does not manage both protocols on the same interface. You can use a self IP address for this. So if your deployment includes DCDs, your discovery address will use one internal self IP address and you will need to add a second self IP to facilitate discovery of both protocol types.The self IP address must be in Classless Inter-Domain Routing (CIDR) format. For example:10.10.10.10/24.
- If you want to create a self IP address, click theCreatebutton in theSelf IPssection.
- If you want to associate a VLAN with the new self IP address, clickCreatebutton in theVLANssection.
- Click theNextbutton at the bottom of the screen.
- In theDNS Lookup Serversfield, type the IP address of your DNS server.You can click theTest Connectionbutton to verify that BIG-IQ can reach that IP address.
- In theDNS Search Domainsfield, type the name of your search domain.The DNS search domain list allows the BIG-IQ system to search for local domain lookups to resolve local host names.
- In theTime Serversfield, type the IP addresses of your Network Time Protocol (NTP) server.You can click theTest Connectionbutton to verify that BIG-IQ can reach the IP address.
- From theTime Zonelist, select your local time zone, then clickNext.
- After you review the details, clickLaunchand then clickRestartto confirm.
Manual license and initial setup for BIG-IQ systems
You must have a base
registration key before you can license the BIG-IQ system. If you do not have a base
registration key, contact the F5 Networks sales group (
f5.com
). After you set up your BIG-IQ VE or
set up your BIG-IQ 7000 Series, you can install the BIG-IQ software license.If the BIG-IQ system is not connected to the public internet, you can follow these steps
to contact the F5 license web portal then perform the initial setup.
- Use a browser to log in to BIG-IQ by typinghttps://, where<management_IP_address><management_IP_address>is the address you specified for device management.The first time you log in to the BIG-IQ, you useadminfor theUsernameandPassword; but then you must change the admin password.
- Change the default admin password.
- ForCurrent Password, typeadmin.
- Type a new password in theNew PasswordandRe-type New Passwordfields.
- ClickSave. BIG-IQ changes the admin password and then displays the initial log in page.
- Login to the BIG-IQ user interface using your new password.
When you change the admin password as part of an initial login, BIG-IQ also resets the root password to match it. During initial setup, you can change them both again. - SelectLicense.
- ForActivation Method, selectManualand click theGet Dossierbutton.The BIG-IQ system refreshes and displays the dossier in theDevice Dossierfield.
- Select and copy the text displayed inDevice Dossier.
- Click theClick here to access F5 Licensing Serverlink.The Activate F5 Product site opens.
- Into theEnter your dossierfield, paste the dossier.Alternatively, if you saved the file, click theChoose Filebutton and navigate to it.
- ClickNext.
- If you are setting up this device for the first time, the Accept User Legal Agreement screen opens. To accept the license agreement, selectI have read and agree to the terms of this license, and clickNext. The licensing server creates the license key text.
- If you have set up this device before, the licensing server goes right to generating the license text.
- Copy all of the text from the text box. This is your manual license key.
- In theLicense Textfield on BIG-IQ, paste the license text.
- Click theActivatebutton.
- Click theNextbutton at the bottom of the screen.
- Type aPassphrasethat satisfies the requirements specified on screen, and then type the same phrase forConfirm Passphrase, and then click theNextbutton.BIG-IQ uses the passphrase to generate a master key. For a BIG-IQ high availability (HA) configuration, this passphrase must be the same on all BIG-IQ systems or they won't be able to communicate with each other.
- Make sure you keep track of the passphrase, because it cannot be recovered if you lose it.
- You must have the passphrase used to generate the master key before you can change the master key.
- Finally, when you backup and restore a BIG-IQ, the master key is backed up with the rest of the data, and you cannot restore that data onto a BIG-IQ that has a different master key.
If you are setting up a Microsoft Azure VE, and you type an entry in any of the fields, you will not be able to continue successfully. The only way to proceed is to leave all of the fields empty and click theNextbutton at the bottom of the screen. This allows the system to use the first-time access credentials you specified previously. - Specify an (optional) admin and root password and click theNextbutton.
- For System Personality, selectBIG-IQ Central Managementand click theNextbutton.You cannot undo this choice. Once you license a device as a BIG-IQ Central Management, you can't change your mind and license it as a BIG-IQ Data Collection Device.
- In theHostnamebox, type a fully-qualified domain name (FQDN) for the system.The FQDN can consist of letters and numbers, as well as the characters underscore ( _ ), dash ( - ), or period ( . ).
- Type theManagement Port Route.The management port IP address must be in Classless Inter-Domain Routing (CIDR) format. For example:10.10.10.10/24.
- Select an option for what you want BIG-IQ to use for theDiscovery Address.BIG-IQ uses this address for bi-lateral communication with its managed BIG-IP devices.When choosing whether to use the management port or a self IP address, consider the long-term ramifications. Changing the discovery address is a lengthy process that includes rediscovering all managed BIG-IP devices. If your deployment includes a data collection device (DCD) cluster, you would also need to reset and rebuild the entire cluster to change the discovery address for this BIG-IQ.
- To use the management port, selectUse Management Address.
- To use the internal self IP address, selectSelf IP Address, and type the IP address.If the BIG-IQ is configured to use a self IP address for device discovery and that address cannot be found, BIG-IQ will use the management IP address instead.If you are configuring BIG-IQ to manage applications in a service scaling group (SSG), use the internal self IP address.If you plan to manage both IPv4 and IPv6 devices, you must configure an additional interface. BIG-IQ does not manage both protocols on the same interface. You can use a self IP address for this. So if your deployment includes DCDs, your discovery address will use one internal self IP address and you will need to add a second self IP to facilitate discovery of both protocol types.The self IP address must be in Classless Inter-Domain Routing (CIDR) format. For example:10.10.10.10/24.
- If you want to create a self IP address, click theCreatebutton in theSelf IPssection.
- If you want to associate a VLAN with the new self IP address, clickCreatebutton in theVLANssection.
- Click theNextbutton at the bottom of the screen.
- In theDNS Lookup Serversfield, type the IP address of your DNS server.You can click theTest Connectionbutton to verify that BIG-IQ can reach that IP address.
- In theDNS Search Domainsfield, type the name of your search domain.The DNS search domain list allows the BIG-IQ system to search for local domain lookups to resolve local host names.
- In theTime Serversfield, type the IP addresses of your Network Time Protocol (NTP) server.You can click theTest Connectionbutton to verify that BIG-IQ can reach the IP address.
- From theTime Zonelist, select your local time zone, then clickNext.
- After you review the details, clickLaunchand then clickRestartto confirm.
Monitoring BIG-IP statistics in BIG-IQ
Visibility of statistics in BIG-IQ depends on the version of your managed BIG-IP devices. Devices running versions 13.1.X, or earlier, have limited statistics visibility support within BIG-IQ. Below outlines the compatibility and what to expect when accessing Analytics (AVR) data within BIG-IQ. For more information, see the supporting documentation found in the
BIG-IQ Centralized Management: Monitoring and Reports
guide.Statistics visibility of managed BIG-IP devices
The format in which statistics are presented in the BIG-IQ environment, depends on the managed version of BIG-IP and the service presented. Refer to the table to access statistics visibility, based on the managed device version. Ensure that the managed device configuration meets the requirements outlined below.
Application data is visible to SC (service cluster), Legacy, and AS3 configurations.
Minimum configuration requirements:
- BIG-IP Version 13.1.x or earlier
- Ports 22 and 443 on each BIG-IP device must be open for the BIG-IQ DCD to retrieve data.
- There must be a Data Collection Device (DCD) configured to your BIG-IQ.
- BIG-IP Version 13.1.0.5 or later
- You must have AVR provisioned for each BIG-IP device.
- It is strongly recommended that monitored applications and virtual servers are associated with an analytics profile (HTTP and/or TCP).
- BIG-IQ needs to provide access on Port 443 to receive BIG-IP AVR data.
- There must be a Data Collection Device (DCD) configured to your BIG-IQ.To view statistics, ensure that the licenses for your managed BIG-IP devices include root access. A BIG-IP license running in Appliance Mode, will not allow for statistics visibility in the BIG-IQ environment.
Where to view statistics
BIG-IP v12.1 | BIG-IP v13.0 | BIG-IP v13.1 | BIG-IP v13.1.0.5 | BIG-IP v14.0 | BIG-IP v14.1 | BIG-IP v15.0 or later | |
---|---|---|---|---|---|---|---|
Device Traffic | |||||||
Local Traffic (General) | |||||||
Local Traffic (HTTP) | Not available to this version | ||||||
Local Traffic (TCP) | Not available to this version | ||||||
DNS (General)* | |||||||
Network Firewall (General) + | Network Firewall information is provided by ACL, IP Reputation, and IPS. | ||||||
Network Firewall (ACL) | Not applicable to this version | ||||||
Network Security (IP Reputation) | Not applicable to this version | ||||||
Network Firewall (IPS) | Not applicable to this version | ||||||
Web Application Security (General) | |||||||
Web Application Security (Bot) | Not available to this version | ||||||
DDoS (Shared Security) | Not available to this version | ||||||
Behavioral DoS (Shared Security) | Not applicable to this version | Visible on the analytics tab of shared security virtual server dashboard. : Protected Objects : Selected Object Name *** | |||||
Application Summary | |||||||
Secure Web Gateway | Not available to this version | ||||||
SSLO** | Not available to this version | ||||||
Access |
*Top Charts are only available to BIG-IP version 13.1.0.5 or later
+
Does not require AVR on host device for visibility. **SSLO support is available to versions 5.4 to 8.2. Please note, SSLO support depends on the compatibility with the BIG-IP device.
***BIG-IP versions 14.1 only displays transaction outcomes/ L3 protocols (depending on virtual server configuration). Version 15.0 includes limited charts and metrics for Behavioral DoS. For more information see
Monitoring Behavioral DoS protection
.